Encrypting Informix Connections with SSL Protocol
Yunming Wang, IBM
Agenda
- Introduction to SSL and IBM GSKit
- Configuring Informix Server for SSL
- Configuring HA Cluster connections for SSL
- Configuring Informix client for SSL
- Configuring Connection Manager SSL
- Troubleshooting
Introduction to SSL and IBM GSKit
Secure Sockets Layer (SSL):
- A communication protocol that provides secure communications between client and server
- Certificate-based authentication
- Data encrypted for privacy and integrity
Common SSL terminology:
- Certificate: digital document for authentication
- Public/private key pair: for data encryption and decryption
- Cipher specification: specifies the data encryption algorithm and key size
- Certification Authority (CA): third-party organization that authorizes and endorses the legitimacy of SSL certificates
- CA-signed certificates: certificates issued by a CA
- Self-signed certificates: certificates issued by the users themselves
- Keystore: a file that stores certificates, keys, etc.
Introduction to SSL and IBM GSKit
How SSL works in general (diagram of the exchange between Client and Server): Handshake, Key Exchange, Change Cipher Spec, Data Transfer
Introduction to SSL and IBM GSKit
IBM Global Secure Toolkit (GSKit) provides libraries and utilities for SSL communication:
- GSKit v8 is installed with Informix 12.10 or CSDK 4.10.
- Set the GSKIT_VERSION configuration parameter to make the database server use a specific version if multiple versions are installed.
- You can manage keys, certificates, and certificate requests with the GSKCapiCmd command included in GSKit.
Supported key database types:
Introduction to SSL and IBM GSKit
- Informix loads the specific built-in version of the GSKit libraries.
- You can manually install GSKit by running $INFORMIXDIR/gskit/installgskit as user root.
- Multiple versions of GSKit may be installed if you installed several versions of Informix, but Informix knows which one to load at run time.
- Depending on the OS platform, GSKit is installed under a different directory:
  Unix: /opt/ibm
  Linux: /usr/local/ibm
  Windows: C:\Program Files\IBM or C:\Program Files (x86)\ibm
- GSKCapiCmd command-line interface for managing keys, certificates, and certificate requests:
  32-bit version 7: gsk7capicmd
  32-bit version 8: gsk8capicmd
  64-bit version 7: gsk7capicmd_64
  64-bit version 8: gsk8capicmd_64
Introduction to SSL and IBM GSKit
More about the keystore for Informix:
- The keystore can be created with the GSKCapiCmd command.
- The keystore for the Informix server must be located under $INFORMIXDIR/ssl.
- The keystore for the Informix server must have the same name as the Informix server name.
- Each certificate in the keystore must have a unique label.
- Only one certificate in the keystore can be the default. You may create more than one default certificate, but only the last one will be the default.
Configuring Informix server for SSL
An Informix server instance must be configured to support the SSL protocol before an Informix client can make an SSL connection.
Two Informix connectivity protocols are available for SSL connections:
- onsocssl: SSL protocol for Informix SQLI clients
- drsocssl: SSL protocol for Informix DRDA clients
Configuring Informix server for SSL
The general guideline for configuring an Informix server instance for SSL connections includes:
- Obtaining an SSL certificate, self-signed or CA-signed
- Adding the SSL certificate to the key store database on the Informix server host with the GSKit utility
- Configuring the Informix server for the SSL protocol:
  Update the ONCONFIG file:
    DBSERVERALIASES (required): the SSL instance must be specified as an alias
    SSL_KEYSTORE_LABEL (optional): if not specified, the default certificate is used
    NETTYPE (optional): if not specified, only one poll thread is started
    VPCLASS (optional): if not specified, one Encrypt VP is started
  Update the SQLHOSTS file
- Restart the Informix server and verify that the SSL listener is up and listening on the port
Configuring Informix server for SSL
Example:
1) Log in as user informix and set the Informix server environment variables.
2) Create the keystore database if it does not exist under $INFORMIXDIR/ssl:
   cd $INFORMIXDIR/ssl
   gsk8capicmd_64 -keydb -create -db $INFORMIXSERVER.kdb -pw ifxpasswd -type cms -stash
   Once the gsk8capicmd_64 command completes, the following files will be created:
   ifx1210fc4.kdb - the "key store database" file that stores the certificates
   ifx1210fc4.sth - the "stash" file that stores an obfuscated version of the key database password
   Make sure the permissions for both files are set to 600 and that they are owned by user informix.
3) Create a self-signed certificate for SSL encryption in the key store database:
   gsk8capicmd_64 -cert -create -db $INFORMIXSERVER.kdb -pw ifxpasswd -label ifxssl_label -dn "CN=lenexa.ibm.com,O=ibm,C=US" -size 1024 -default_cert yes
Configuring Informix server for SSL
Example (cont.)
4) Update the onconfig.ifx1210fc4 file to configure a new Informix server instance for SSL connections:
   Configure the server aliases to include the server instance name for the SSL protocol:
   DBSERVERALIASES ifx1210fc4ssl
   Specify the server digital certificate label name in the SSL_KEYSTORE_LABEL configuration parameter:
   SSL_KEYSTORE_LABEL ifxssl_label
   If you do not specify a label name, Informix will use the default certificate in the key store database.
   Configure 3 poll threads for SSL connections, each handling 100 connections, by using the NETTYPE configuration parameter:
   NETTYPE socssl,3,100,net
   Configure 3 Encrypt Virtual Processors (VPs) for SSL encryption and decryption operations, by using the VPCLASS parameter:
   VPCLASS encrypt,num=3
   Note: you can also use the onmode -p command to add or drop Encrypt VPs dynamically while the database server is in online mode. You should configure several Encrypt VPs for large systems.
Configuring Informix server for SSL
Example (cont.)
5) Update the SQLHOSTS file to include the connection information for the SSL connections:
   ifx1210fc4     onsoctcp  ifxhost.lenexa.ibm.com  12141
   ifx1210fc4ssl  onsocssl  ifxhost.lenexa.ibm.com  12142
6) Restart the Informix server to activate the configuration for SSL connections:
   onmode -ky
   oninit -vy
   The following information about the SSL protocol will be logged in the online.log file:
   17:48:02  IBM Global Security Kit (GSKit) version 8.0.50.20.
   17:48:02  Secure Sockets Layer (SSL) initialized.
   Once the server is up and running, you can run the onstat command to see the Encrypt VPs in the output:
   $ onstat -g ath | grep ssl
   9   459aa610  0  1  running            9ssl*   socsslpoll
   10  459c8028  0  1  cond wait arrived  10ssl*  socsslpoll
   11  459c89f8  0  1  cond wait arrived  11ssl*  socsslpoll
   15  45a68808  0  2  sleeping forever   1cpu*   socssllst
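As an added example (not code from the presentation), the following Python script checks the ONCONFIG and SQLHOSTS settings from steps 4 and 5 for the consistency rules the slides state before the server is restarted: SSL must be configured on a DBSERVERALIASES entry rather than on DBSERVERNAME, every alias needs an sqlhosts entry, at least one alias must use onsocssl or drsocssl, and NETTYPE socssl / VPCLASS encrypt should be present. The sample ONCONFIG and SQLHOSTS text is constructed from the values used in the slides; the function and parameter names are this example's own.

```python
SSL_PROTOCOLS = {"onsocssl", "drsocssl"}

# Constructed sample input, using the values shown in the slides.
ONCONFIG = """
DBSERVERNAME ifx1210fc4
DBSERVERALIASES ifx1210fc4ssl
SSL_KEYSTORE_LABEL ifxssl_label
NETTYPE socssl,3,100,net
VPCLASS encrypt,num=3
"""
SQLHOSTS = """
ifx1210fc4     onsoctcp  ifxhost.lenexa.ibm.com  12141
ifx1210fc4ssl  onsocssl  ifxhost.lenexa.ibm.com  12142
"""

def parse_onconfig(text):
    """Return {PARAM: [value, ...]}; a parameter such as VPCLASS may appear more than once."""
    params = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if fields:
            params.setdefault(fields[0], []).append(fields[1].strip() if len(fields) > 1 else "")
    return params

def parse_sqlhosts(text):
    """Return {dbservername: (protocol, host, service)} from sqlhosts-style lines."""
    hosts = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4:
            hosts[fields[0]] = (fields[1], fields[2], fields[3])
    return hosts

def check_ssl_config(onconfig_text, sqlhosts_text):
    """Return a list of problems; an empty list means the SSL setup is consistent."""
    cfg = parse_onconfig(onconfig_text)
    hosts = parse_sqlhosts(sqlhosts_text)
    problems = []
    proto = lambda name: hosts.get(name, ("",))[0]
    # SSL must be configured on an alias, not on DBSERVERNAME itself.
    for name in cfg.get("DBSERVERNAME", []):
        if proto(name) in SSL_PROTOCOLS:
            problems.append(f"DBSERVERNAME {name} uses an SSL protocol; SSL must be a DBSERVERALIASES entry")
    aliases = [a for v in cfg.get("DBSERVERALIASES", []) for a in v.split(",") if a]
    for a in aliases:
        if a not in hosts:
            problems.append(f"alias {a} has no sqlhosts entry, so no listener can start for it")
    if not any(proto(a) in SSL_PROTOCOLS for a in aliases):
        problems.append("no DBSERVERALIASES entry maps to an onsocssl/drsocssl sqlhosts entry")
    if not any(v.startswith("socssl") for v in cfg.get("NETTYPE", [])):
        problems.append("warning: NETTYPE socssl not set, only one SSL poll thread will start")
    if not any(v.startswith("encrypt") for v in cfg.get("VPCLASS", [])):
        problems.append("warning: VPCLASS encrypt not set, only one Encrypt VP will start")
    return problems
```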
Configuring Informix HDR Cluster for SSL
An Informix High Availability cluster consists of a primary and one or more secondary servers. Each server in the cluster needs to be configured individually for the SSL protocol. Each server can share the same SSL certificate or have its own certificate.
The steps to configure the HA cluster servers for SSL include:
1) Configure the primary server with SSL.
2) Transfer the key store database to $INFORMIXDIR/ssl on each secondary server host.
3) Rename the .kdb and .sth files with the secondary server instance name.
4) Update the $INFORMIXDIR/etc/$ONCONFIG and $INFORMIXSQLHOSTS files for SSL connections. If one certificate is used, all servers in the cluster will use the same SSL label name in the ONCONFIG file. Otherwise, each server should use its own SSL label.
5) Convert one server to the primary mode using the secondary SSL database alias name.
6) Convert the other to the secondary mode using the primary SSL database alias name.
Configuring Informix HDR Cluster for SSL
Example
1) Use the server previously configured for SSL as the primary.
2) Install the same version of the Informix server on another Linux machine called ifxhost2 under the same directory path.
3) Set the environment variables for the HDR secondary server on ifxhost2.
4) Configure the HDR secondary instance using an ONCONFIG file that is modified from the primary server's ONCONFIG file:
   DBSERVERALIASES ifx1210fc4hdrssl
   SSL_KEYSTORE_LABEL ifxssl_label
   NETTYPE socssl,3,100,net    # define 3 SSL listener threads
   VPCLASS encrypt,num=3       # define 3 encryption VP processors
5) Create the SQLHOSTS file to include the SSL connection entries, including the one for the primary:
   ifx1210fc4hdrssl  onsocssl  ifxhost2  12146   # HDR secondary
   ifx1210fc4ssl     onsocssl  ifxhost   12146   # Primary
Configuring Informix HDR Cluster for SSL
Example (cont.)
6) Transfer ifx1210fc4.kdb and ifx1210fc4.sth to $INFORMIXDIR/ssl from the ifxhost machine where the primary is going to run.
7) Rename ifx1210fc4.kdb and ifx1210fc4.sth to ifx1210fc4hdr.kdb and ifx1210fc4hdr.sth, respectively.
8) Create a level 0 backup on the primary server and restore it on the HDR secondary:
   ontape -t STDIO -p < $INFORMIXDIR/tmp/ontape_l0.prim
   where the ontape_l0.prim level 0 backup file has been transferred from the ifxhost server. This will convert the server to an HDR secondary in Fast Recovery mode:
   $ onstat -
   IBM Informix Dynamic Server Version 12.10.FC4 -- Fast Recovery (Sec) -- Up 00:06:19 -- 148076 Kbytes
Configuring Informix HDR Cluster for SSL
Example (cont.)
9) Now we can convert the ifx1210fc4 server on ifxhost to the primary using the HDR server name that is configured for SSL:
   onmode -d primary ifx1210fc4hdrssl
10) On the ifxhost2 machine, convert the server to the HDR secondary using the primary SSL server alias:
   onmode -d secondary ifx1210fc4ssl
Once the above steps complete, you can run the 'onstat -g ath' command to show that the communications between the primary and the HDR secondary server are now encrypted:
   $ onstat -g ath | grep smx
   115  45bdbb50  44bc0968  3  cond wait  smx pipe1  1cpu       smxsnd      ifx1210fc4hdrssl
   116  45bc9178  44bc3528  3  cond wait  net norm   8encrypt*  smxrcv      ifx1210fc4hdrssl
   117  4d24d028  44bc3de8  1  sleeping secs: 1     1cpu       smxrecvsnd
Configuring Informix client for SSL connections
The Informix client must be configured to use the server certificate for SSL connections.
If a self-signed certificate is used, extract the certificate from the server keystore with the gsk8capicmd utility. Example:
   gsk8capicmd_64 -cert -extract -db $INFORMIXDIR/ssl/$INFORMIXSERVER.kdb -format ascii -label ifxssl_label -pw ifxpasswd -target ifxssl_label.cert
Transfer the certificate file to the client host for SSL configuration.
Configuring Informix client for SSL connections
General steps to configure the Informix client for SSL connections:
1) Transfer the same server SSL certificate(s) to the client machine.
2) Import the SSL certificate(s) into the client key store database.
3) Configure the client for SSL:
   For a CSDK client:
   - Edit $INFORMIXDIR/etc/conssl.cfg to specify the key store database and password files
   - Update the connection information in the sqlhosts for the SSL protocol
   For a JDBC client:
   - Set the sslconnection property on a Connection or DataSource instance to enable SSL
   - Set the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system properties to specify the key store and password files
4) Update the connection string in the application to connect to the SSL port.
5) You may need to recompile the application.
Configuring Informix client for SSL connections
Example for a JDBC client:
1) Import the SSL certificate into a Java key store using the keytool utility:
   C:\temp\testssl> keytool -import -file ssltest.cert -keystore keystore.jks
   Enter keystore password: <ifxpasswd>
   Re-enter new password: <ifxpasswd>
   If the keystore.jks key store database does not exist, keytool will create it for you and then import the certificate into it.
2) Update the Java application to enable SSL support and connect to the server SSL port:
   String myurl = "jdbc:informix-sqli://ifxhost.lenexa.ibm.com:12142/" + "stores" + ":informixserver=ifx1210fc4ssl;";
   java.util.Properties properties = new java.util.Properties();
   properties.put("user", "ywang");
   properties.put("password", "mypasswd");
   properties.put("sslconnection", "true");
   // Trust store holding the imported server certificate, and its password
   System.setProperty("javax.net.ssl.trustStore", "C:\\temp\\ssltest\\keystore.jks");
   System.setProperty("javax.net.ssl.trustStorePassword", "ifxpasswd");
   java.sql.Connection con = java.sql.DriverManager.getConnection(myurl, properties);
Configuring Informix client for SSL connections
Example for a CSDK client:
1) Create a client key store database if it does not exist:
   "C:\Program Files (x86)\ibm\gsk8\bin"\gsk8capicmd.exe -keydb -create -db clikeydb.kdb -pw ifxpasswd -type cms -stash
2) Update the Java application to set the sslconnection property on a Connection or DataSource instance and connect to the server SSL port.
3) Import the SSL certificate into the client key store database:
   "C:\Program Files (x86)\ibm\gsk8\bin"\gsk8capicmd.exe -cert -add -db clikeydb.kdb -pw ifxpasswd -label ifxssl_label -file ifxssl_label.cert -format ascii
4) Configure Informix CSDK for the location of the client key store database and password file by updating the %INFORMIXDIR%\etc\conssl.cfg file to include the following two entries:
   SSL_KEYSTORE_FILE C:\<path name>\clikeydb.kdb
   SSL_KEYSTORE_STH  C:\<path name>\clikeydb.sth
   The default locations are:
   $INFORMIXDIR/etc/client.kdb
   $INFORMIXDIR/etc/client.sth
Configuring Informix client for SSL connections
Example for a CSDK client (cont.):
5) Update the SQLHOSTS registry to include the server SSL alias using the setnet32.exe utility on Windows:
   ifx1210fc4ssl  onsocssl  ifxhost.lenexa.ibm.com  12142
   On Unix/Linux, update the SQLHOSTS file to include the server SSL alias.
6) Update the connection information in the application for the SSL connection. For example:
   ODBC Data Source Name:
   [ifx1210fc4ssl]
   Driver=/work/ywang/csdk410fc4/lib/cli/iclit09b.so
   Database=stores
   Description=Test Database
   Servername=ifx1210fc4ssl
   CursorBehavior=0
   HostName=ifxhost.lenexa.ibm.com
   PortNumber=12142
   Protocol=onsocssl
   .Net Provider:
   const string connectionstring = "Host=ifxhost.lenexa.ibm.com;Server=ifx1210fc4ssl; database=stores; uid=ywang; password=mypasswd;";
   ESQL/C:
   EXEC SQL CONNECT TO 'stores@ifx1210fc4ssl';
Configuring Informix Connection Manager for SSL connections
IBM Informix Connection Manager (CM):
- A delegate that routes client connections to the appropriate server based on the SLA.
- A middle tier that runs as a server to the client and as a client to the Informix database server.
CM can use the same certificate as the servers or a different certificate:
- Simpler to configure CM with the same certificate shared by the servers
- May save cost if the certificate is obtained from a third-party CA
- Better security if CM uses a different certificate from the servers
CM currently uses only the default certificate in the keystore database for SSL connections:
- If no default certificate is specified in the CM key store database, the SSL connections can fail with the error GSK_ERROR_SOCKET_CLOSED.
The client key store database should contain the SSL certificates from both the CM and the server when CM is in redirect mode.
Configuring Informix Connection Manager for SSL connections
Checking whether the CM keystore database contains a default certificate:
   gsk8capicmd_64 -cert -list -db <your CM key store database>
For example:
   $ gsk8capicmd_64 -cert -list -db $INFORMIXDIR/etc/client.kdb -pw ifxpasswd
   Certificates found
   * default, - personal, ! trusted, # secret key
   -   cmssl_label
   !   ifxssl_label
As shown above, there is no default certificate in the CM key store database. You can set the cmssl_label certificate as the default using the following command:
   gsk8capicmd_64 -cert -setdefault -label cmssl_label -db $INFORMIXDIR/etc/client.kdb -pw ifxpasswd
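As an added example (not code from the presentation), the following Python helper reads the text printed by gsk8capicmd_64 -cert -list, using the flag legend shown above, and reports whether any certificate carries the default flag; this is the condition CM needs before its SSL listeners can avoid GSK_ERROR_SOCKET_CLOSED. The two listings are constructed samples, the first matching the slide and the second assumed to be the same keystore after -setdefault; the function names are this example's own.

```python
import re

# Constructed sample, matching the listing shown on the slide: no default certificate yet.
LISTING_NO_DEFAULT = """Certificates found
* default, - personal, ! trusted, # secret key
-\tcmssl_label
!\tifxssl_label
"""
# Constructed sample of the same keystore after "gsk8capicmd_64 -cert -setdefault -label cmssl_label ...":
# a default personal certificate is listed with both marks.
LISTING_WITH_DEFAULT = LISTING_NO_DEFAULT.replace("-\tcmssl_label", "*-\tcmssl_label")

# Legend printed by gsk8capicmd above the certificate lines.
FLAGS = {"*": "default", "-": "personal", "!": "trusted", "#": "secret key"}
# One or more flag characters, whitespace, then the label; a line with no flags is just a label.
LINE = re.compile(r"^([*\-!#]+)\s+(\S.*)$")

def parse_cert_list(output):
    """Map each certificate label in the listing to the set of flag names it carries."""
    certs = {}
    for line in output.splitlines()[2:]:     # skip "Certificates found" and the legend
        line = line.strip()
        if not line:
            continue
        m = LINE.match(line)
        marks, label = (m.group(1), m.group(2)) if m else ("", line)
        certs[label.strip()] = {FLAGS[c] for c in marks}
    return certs

def default_certificate(output):
    """Return the label flagged as default, or None when the keystore has none."""
    for label, flags in parse_cert_list(output).items():
        if "default" in flags:
            return label
    return None
```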
Configuring Informix Connection Manager for SSL connections
Example:
CM Version: 4.10.FC4 on Linux x86_64
CM configuration before SSL support:
   NAME CM_ywang
   LOGFILE /work/ywang/test/cm/cm410fc4.log
   DEBUG 0
   CM_TIMEOUT 60
   EVENT_TIMEOUT 60
   cluster hdr_test
   {
       INFORMIXSERVER ifx1210fc4,ifx1210fc4hdr
       SQLHOSTS LOCAL
       SLA sla1 DBSERVERS=primary USEALIASES=OFF
       SLA sla2 DBSERVERS=HDR USEALIASES=OFF
       FOC ORDER=primary,HDR TIMEOUT=120 PRIORITY=1 RETRY=1
   }
Configuring Informix Connection Manager for SSL connections
Example (cont.):
1) Create a key store database if it does not exist:
   gsk8capicmd_64 -keydb -create -db cmkeydb.kdb -pw ifxpasswd -type cms -stash
2) Create a new self-signed certificate for each SLA listener; in this case two certificates are created since we have two SLA policies:
   gsk8capicmd_64 -cert -create -db cmkeydb.kdb -pw ifxpasswd -label slassl1 -dn "CN=lenexa.ibm.com,O=ibm,C=US" -size 1024 -default_cert yes
3) Import the server certificate:
   gsk8capicmd_64 -cert -add -db cmkeydb.kdb -pw ifxpasswd -label ifxssl_label -file ifxssl_label.cert -format ascii
4) Configure the CM to use the above cmkeydb.kdb key store database by updating the $INFORMIXDIR/etc/conssl.cfg file:
   SSL_KEYSTORE_FILE /work/ywang/csdk410fc3/ssl/cmkeydb.kdb
   SSL_KEYSTORE_STH  /work/ywang/csdk410fc3/ssl/cmkeydb.sth
5) Update the CM configuration file to use SSL connections:
   INFORMIXSERVER ifx1210fc4ssl,ifx1210fc4hdrssl
   SLA slassl1 DBSERVERS=primary HOST=ifxcmhost SERVICE=6678 NETTYPE=onsocssl
   SLA slassl2 DBSERVERS=HDR HOST=ifxcmhost SERVICE=6679 NETTYPE=onsocssl
6) Restart the CM instance.
Troubleshooting
To troubleshoot problems with SSL connections, check the following items.
On the server side:
- Are the key store database and password file under $INFORMIXDIR/ssl?
- Does the key store database use the same name as the Informix instance?
- Are the permission settings on the key store database and password file correct?
- Is the port number already in use?
On the client side:
- Make sure the server certificates are imported properly into the client key store database
- Make sure $INFORMIXDIR/etc/conssl.cfg is updated to point to the correct key store database and password file
- Make sure the right version of GSKit is used for certificate management
- On Windows, make sure the command window for the GSKit utility is not launched as Admin
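As an added example (not code from the presentation), the following Python script automates the server-side part of this checklist: it verifies that $INFORMIXDIR/ssl holds a .kdb and .sth file named after the instance, that both are mode 600 and owned by the expected user, and that the SSL listener port is not already taken. The demo functions build a constructed $INFORMIXDIR in a temporary directory with one deliberate mistake; the function and parameter names are this example's own.

```python
import os
import socket
import stat
import tempfile

def check_server_keystore(informixdir, server, expected_uid=None):
    """Server-side checklist: keystore and stash under $INFORMIXDIR/ssl, named after
    the instance, mode 600, and (when expected_uid is given) owned by user informix.
    Returns a list of problems; an empty list means every check passed."""
    problems = []
    for ext in (".kdb", ".sth"):
        path = os.path.join(informixdir, "ssl", server + ext)
        if not os.path.isfile(path):
            problems.append(f"{path} is missing: the file must be under $INFORMIXDIR/ssl "
                            f"and named {server}{ext}")
            continue
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if mode != 0o600:
            problems.append(f"{path} has mode {oct(mode)}, expected 0o600")
        if expected_uid is not None and st.st_uid != expected_uid:
            problems.append(f"{path} is owned by uid {st.st_uid}, expected uid {expected_uid}")
    return problems

def port_is_free(port, host="127.0.0.1"):
    """True when nothing already holds the SSL listener port on this host."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False

def keystore_demo():
    """Build a constructed $INFORMIXDIR with one deliberate mistake (a world-readable
    stash file) and run the checklist against it."""
    informixdir = tempfile.mkdtemp()
    os.mkdir(os.path.join(informixdir, "ssl"))
    for ext, mode in ((".kdb", 0o600), (".sth", 0o644)):
        path = os.path.join(informixdir, "ssl", "ifx1210fc4" + ext)
        open(path, "wb").close()
        os.chmod(path, mode)
    uid = os.getuid() if hasattr(os, "getuid") else None
    return check_server_keystore(informixdir, "ifx1210fc4", expected_uid=uid)

def port_demo():
    """Occupy an ephemeral port and report what the port check says about it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        return port_is_free(srv.getsockname()[1])   # False while srv holds the port
```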
Questions?